If you’re a Standard Bank customer and have had your personal details exposed in the banking group’s latest data breach, you should have been contacted by the bank’s staff already. If you haven’t been contacted, you can at least rest assured that your CVV number hasn’t been compromised.
“We can confirm that, in a limited number of cases, the affected information also includes credit card details, specifically card number and expiry date. We are communicating directly with those clients and proactively replacing their cards as a precaution. CVV numbers are not impacted,” the bank said.
That was its response to Daily Maverick questions about the extent of the breach. As for the planned course of action – and customer recourse?
“We continue to strengthen controls and enhance monitoring in line with industry best practice to safeguard client information. We have reported this incident to the relevant regulatory and law enforcement authorities, and we continue to co-operate with their processes.”
Show me what you got
The Standard Bank communications team – in full crisis mode at this point, four full disclosures deep into Rootboy’s schedule – neither confirmed nor denied that they were learning the extent of the leak, and the depth of detail, at the same time as the rest of the world.
But it is implied by the measured statements to the media.
Daily Maverick intentionally delayed any news of the breach until the details could be verified. The bank, to its credit, got ahead of the story with each development.
On 23 March it put out a statement:
“Standard Bank of South Africa has identified an incident involving unauthorised access to select data, and we immediately took steps to secure our environment and mitigate the impact. Our transactional systems remain secure and operational, and available to all our clients and employees. Our teams, supported by experts, have launched a full investigation into this incident.”
This was after the hackers had, according to a timeline and description of events published on the Prinz Eugen ransomware leak portal, already contacted the bank.
“Beginning on 27 February 2026, the three-week long attack on both Standard Bank and Liberty has resulted in 1.2TB of data being exfiltrated from internal servers. A peaceful resolution was sought out with Standard Bank; however, after two weeks of back and forth they made the decision to abandon their customers.” (Excerpt edited to suit Daily Maverick house style.)
“The haul of more than 154,000,000 rows of exported SQL data includes but is not limited to:
“Customer PII (Full Names, Addresses, Emails, Phone Numbers, South African ID Numbers, Drivers License Numbers, Passport Numbers, Credit Card Numbers, Account Numbers), Detailed Employee Data, Bulk Customer and Corporate Transactional Data.
“Publications will intensify until the goal of 1BTC is reached.”
Not at liberty to say
What is currently unclear is the extent of the Liberty side of the breach. There is a holding statement, undersigned by Liberty CEO Yuresh Maharaj, that reads eerily similar to the original Standard Bank one:
“Liberty detected unauthorised third-party access to select data systems, and we immediately took steps to contain and mitigate the impact. Our services remain unaffected, fully operational and available to all our clients, advisers and employees. Your investments and policies remain secure. Our team, supported by experts, has launched a full investigation into this incident. We operate within a robust regulatory framework and fully comply with all applicable obligations. We are notifying all affected clients. We regret any concern this may have caused.”
In the articles section of liberty.co.za, however, there is no word of the hack. You can read about obesity and women’s health, as well as South Africa’s growing insurance gap – articles published around the time when the institution would’ve known about the hack; but nothing informing panicked customers about the extent of the risk.
Standard Bank, however, issued an update on 2 April:
“Our banking systems were not impacted. They remain secure and operational and available to all our clients and employees. Our teams, supported by experts, continue with the ongoing investigations into this incident.”
And again this week, when the first data dump which included 5,000 lines of customer data – some of which have been seen by Daily Maverick to verify the detailed nature of the customer information (ID numbers, home addresses, employment details, etc.) – was published:
“The affected systems were internal administrative and document filing systems. Our transactional banking and core operating systems were not accessed, remain secure, and are available to all our clients and employees.
“We would like to once again reassure you that we immediately took steps to secure our environment to mitigate the impact of this incident, working with external experts.
“During this period, we continue to work tirelessly to engage with our clients who have been impacted. This will continue while we make meaningful progress in our investigations into the incident. Due to the nature of the incident, we have been preparing for the possibility of client and company-related data being made public, which now appears to have been published.
“Protecting our clients remains our highest priority and we have, therefore, implemented a range of proactive measures, including enhanced monitoring of credit bureau activity, additional transaction monitoring and fraud detection across our platforms. Additional proactive precautionary steps continue to be implemented to further safeguard affected clients. We also encourage our clients to remain vigilant.
“As a trusted financial services provider, as we proceed with the intensive investigation process, we have complied with applicable regulatory notification requirements and will continue to cooperate with the relevant authorities.
“We realise that this may be concerning for our clients and our stakeholders, we wish to thank them for their patience and trust.”
Winning back trust
Rootboy was big enough to reach out to the affected parties. The threat actor has been remarkably consistent and punctual. The first data package was 5,000 lines. The next, 25,000. And then 50,000 yesterday (including staff data from SAP), as well as 100,000 today.
The full package is 154 million rows.
Standard Bank did not answer questions about the company’s ransom protocol. And ditto for its knowledge of what exact data was stolen and how the hackers got hold of it.
The bank has asked for patience and trust. This writer is a lifelong customer and is seeing the stolen data in real time, quite clearly (given the evidence and statements) at the same time as the bank. The clock is ticking. DM
